It sounds like I misunderstood the extension_whitelist method, I thought this was similar to a frontend form validation -- my intention is to only allow the user to send a png, as I need to use transparent backgrounded images in certain places, than generate the jpgs as these are used most places.

Regardless, removing the whitelist entirely yeilds the same result -- correct images in s3, but incorrect images in db.